Shlayer Mac Trojan Removal — Mac Restore Instructions

Shlayer Mac Trojan Removal — Mac Restore Instructions

This article has been created in order to give you insight on how to quickly remove the Shlayer Mac Trojan from your Mac effectively.

The Shlayer Mac Trojan is a very dangerous threat to all Mac computers as it can install itself silently and lead to data theft. Active infections can be made without any apparent symptoms and depending on the specific hacker instructions different actions can take place. This is the reason why affected users should remove it immediately.

Threat Summary

NameShlayer Mac Trojan
TypeMac OS Adware
Short DescriptionThe Shlayer Mac Trojan installs various malware on the target computers.
SymptomsThe victims may not experience any apparent signs of infection.
Distribution MethodEmails, infected software installers and other methods.
Detection Tool See If Your System Has Been Affected by Shlayer Mac Trojan


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Shlayer Mac Trojan.

Shlayer Mac Trojan — How Did I Get It

The Shlayer Mac Trojan is delivered through a complex delivery campaign through malicious advertising. The security analysis reveals that the detected samples are distributed via advanced malvertising payloads.

In this particular case the culprit is a malicious browser extension which is hosted on hacker-controlled sites. The dangerous code is disguised as an Adobe Flash Player installer. This type of attack behavior can be embedded in several different sources of infection besides the malicious sites:

  • Email Messages — The criminals can additionally use phishing tactics that impersonate legitimate companies and services that the users might be using. By falling victim to their body contents or any attached files the fake Adobe Flash Player file will be downloaded and started onto their computers.
  • File Sharing Networks — The payload files can be shared on networks like BitTorrent where such programs are frequently uploaded.
  • Malicious Documents — The Adobe Flash Player installer can be embedded in documents made by the criminals. All of the popular file formats can be affected: text files, presentations, databases and spreadsheets. The built-in contents can link to the dangerous files. The other technique is the automatic start of the file by inserting the required scripts into them. When the document files are opened a prompt will be launched asking the users to enable them. The reason quoted will be to correctly view the document.

Not only is the Adobe Flash Player install a malicious carrier, but also an image that conceals the steganography malware — the virus code will be started as soon as it is opened in the browser window. As the campaign is deemed very large it is estimated that as many as 5MM visitors may have been targeted with it.

The malvertising campaign will deliver the payload carrier which starts the hidden code leading to the Shlayer Mac Trojan installation.

Following the malicious sites and script redirects the victims can also be directed to several ad campaign landing pages. They will deliver another set of malicious application installers, depending on the campaigns. Some of the examples include the following malware copies:

  • Update Flash Now!
  • Windows 10 PC Repair

Shlayer Mac Trojan — Full Description

Upon launching the Shlayer Mac Trojan code the first part of the infection will commence — a shell script decrypting a file found in the Application Resources directory. This malicious file is deployed there in order to hide its appearance from common user locations such as their home folder.

This will start a sequence of a several stage delivery Trojan, including the unpacking of a password-protected ZIP archive containing further malware scripts. The Shlayer Mac Trojan at the moment is configured to lead to other infections. However given its complex modular design it can easily be used for other malicious purposes, including the following:

  • Information Harvesting — The engine can be used to harvest data that can be configured to extract both machine metrics and user information. The first category is used to generate an unique ID that is assigned to each individual machine. This is done via an algorithm that uses list of installed hardware components, user settings and other operating system metrics. It can also directly expose the identity of the victims by looking out for strings that can reveal their name, address, phone number, location and any stored account credentials.
  • System Changes — To facilitate further infections the payload code can make various changes to the compromised machines — configuration files, operating system environment values and user settings.
  • Boot Options Modifications — By accessing the Mac OS computers settings the Shlayer Trojan can set itself or the other deployed payloads to automatically start when the computer is powered on.
  • Additional Payload Delivery — It can be used to deliver other threats to the computers such as miners and ransomware.

Future updates to the Shlayer Mac Trojan can deploy all kinds of other modules.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share